Picture your house. Visualize all the things (and more importantly, the memories) you’ve made in it.
Now imagine you leave your house to go somewhere but you leave the door unlocked and before you get in your car, you put a sign in your yard advertising the fact that your home is unlocked.
Think that’s crazy?
It is, and yet millions of online platforms powered by WordPress do this every single day. Site owners spend their valuable time carefully cultivating their content and creating memories with their readers, only to leave the doors to their sites wide open.
Securing your online platform is probably not your top priority. After all, we’re all busy trying to write great content and get the word out via social media, guest posting, etc. But if security is currently just an afterthought to you, I hope this article changes your mind and gets you to take it more seriously.
One of the most important things to understand about securing your site (or online security in general) is that there’s no such thing as total security. If someone wants your data or access to your site badly enough, they can probably get it. That being said, online security is similar to offline security in that there are common-sense steps you can take to secure your site and make it not worth a casual hacker’s time to try to penetrate.
It’s ironic that many of us don’t pay more attention to protecting our sites since we spend so much time trying to build them. Fortunately, you don’t have to have an IT degree to safeguard your site.
So without further ado, I present WordPress Security for Dummies: 5 easy steps to protect your site.
1) Stay Up To Date
WordPress 3.7 (Basie) brought several long-overdue security enhancements to the world’s most popular content management system. Security and maintenance updates now occur automatically, meaning that if your site is running 3.7 or above, you no longer need to manually update the core WordPress files that power your site.
That being said, you’ll still need to manually update your plugins to ensure they’re running the latest secure and stable builds.
In addition to automatically applying security and maintenance updates, 3.7 introduced better password standards and a new feature that shows you how strong your WordPress password is in real time. This password strength meter (pictured above) detects weak and obvious passwords (e.g. password1234) and rates the strength of your password accordingly.
Which leads me to the next easy step you can take right now to protect your site…
2) Strong Username & Password
After you update your site, it’s time to take a serious look at the usernames and passwords associated with it. This includes not only your WP admin credentials, but also supporting services such as webmail, hosting, or third-party services like Gravatar. It’s all too easy to recycle passwords, and if you’re even a moderate internet user you likely have dozens, if not hundreds, of website passwords to remember. Do yourself a favor and use a free password manager like LastPass or 1Password.
While we’re on the topic, remember that your user ID is another key piece of data that is all too often ignored from a security standpoint. Using obvious user IDs like “admin” or “webmaster” is like giving a hacker half of your bank card PIN and hoping they don’t figure out the other half.
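As an added illustration (not code from the article or from WordPress itself) of what a meter like the one described in step 1 is doing, and of the “obvious user ID” point above: a small Python estimator that prices a password by how many guesses it would take, catching a dictionary word with a digit tail such as password1234, plus a companion check for obvious user IDs. The word lists and scoring thresholds are constructed for the example; WordPress’s own meter is built on the open-source zxcvbn library, whose dictionary is far larger.

```python
import re

# Constructed mini-dictionary of bases that a real strength meter (such as the
# zxcvbn list WordPress uses) ranks first; a real list has tens of thousands.
COMMON_BASES = ["password", "123456", "qwerty", "admin", "welcome", "letmein",
                "wordpress", "monkey", "dragon", "iloveyou", "summer"]
OBVIOUS_USERNAMES = {"admin", "administrator", "webmaster", "root", "test",
                     "user", "editor", "wordpress", "wp"}
LEET = str.maketrans("@$014!3", "asolaie")   # p@ssw0rd -> password
TAIL = re.compile(r"[\d\W_]+$")              # digits/symbols tacked on the end

def estimate_guesses(pw: str) -> float:
    """Rough number of guesses an attacker needs. A known base word plus a
    short tail is priced as 'dictionary rank x decorations'; anything else is
    priced as brute force over the character classes actually used."""
    low = pw.lower()
    core = TAIL.sub("", low)
    for form in (low, core, core.translate(LEET)):
        if form in COMMON_BASES:
            rank = COMMON_BASES.index(form) + 1
            tail_len = len(low) - len(form)
            return rank * 10 ** tail_len * 2        # x2 for the leet/case variant
    space = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                       (r"\d", 10), (r"[^\w]", 33))
                if re.search(pat, pw))
    return space ** len(pw) / 2                      # expected brute-force cost

def strength(pw: str) -> str:
    """Label the way a login-form meter would, from the guess estimate."""
    guesses = estimate_guesses(pw)
    if guesses < 1e6:
        return "very weak"
    if guesses < 1e8:
        return "weak"
    if guesses < 1e10:
        return "medium"
    return "strong"

def is_obvious_username(name: str) -> bool:
    """'admin', 'Webmaster2' and the like hand an attacker half the login."""
    return TAIL.sub("", name.lower()) in OBVIOUS_USERNAMES
```

Because the dictionary here is tiny, a long password made of common words that are not in the list still scores as strong; the real meter would not be fooled.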
3) Multi-Factor Authentication
Good (and hassle-free) security doesn’t stop with a strong user ID and password. Now more than ever, it’s not just elite hackers who have the capability to compromise your site’s security. Brute-force password crackers can be easily purchased from black hat forums that are just a Google search away, and many of these tools can be used by simply following the instructions they come with.
Multi-factor authentication (MFA) is another simple way of hardening your website without adding any complicated or time-consuming steps to logging in. With MFA, you need something you know (like a PIN or a unique password) and something you have (like a mobile phone or computer that receives or generates a one-time code).
MFA works like this:
You set up an account with an MFA service (Google Authenticator, YubiKey, etc.). You can do this on your laptop, desktop, or mobile device (such as an Android smartphone or iPhone).
Next, install the MFA service’s plugin on your WordPress site.
That’s it! Now, every time you log in, you need to enter the MFA’s unique one-time credential in addition to your user ID and password.
It’s that easy and will add another layer of protection to your online platform.
Some of the most widely used MFA services are Google Authenticator and YubiKey.
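The exchange described above, as an added example that is not part of the original post: the time-based one-time password scheme Google Authenticator implements (RFC 6238), together with the server-side check a login plugin has to perform, including a one-step window for phone clock drift and rejection of a code that has already been accepted. The secret is the RFC’s published test key, not a real enrolment; the verifier class and its names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP, DIGITS = 30, 6          # Google Authenticator's defaults (RFC 6238)
# Test secret from RFC 4226/6238 ("12345678901234567890" in base32); a real
# enrolment generates a random one and shows it to the user as a QR code.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // STEP)

class TotpVerifier:
    """Server side of the login form. Accepts the current step plus `window`
    steps either side (phone clock drift) and remembers the newest step it has
    accepted, so a code that was observed once cannot be submitted a second
    time during the 30 seconds it would otherwise remain valid."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret, self.window, self.last_step = secret_b32, window, -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        step = at // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_step:
                continue                      # already used: reject the replay
            expected = hotp(self.secret, candidate).encode()
            if hmac.compare_digest(expected, submitted.encode()):
                self.last_step = candidate
                return True
        return False
```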
4) Security Plugins
So far, I’ve listed simple steps you can easily do yourself to greatly enhance the security of your online platform. Fortunately, with the popularity of WordPress, developers have already created some great (not to mention, free) plugins to take care of some of the more technical security enhancements.
To keep things simple, I’ve listed a few of my favorite WordPress security plugins, each with a brief summary and a link to learn more about its technical features.
Better WP Security – among the most widely used WP security plugins, Better WP Security takes a multifaceted approach to hardening your site. This free plugin hides common backend functionality from nosy visitors, scans your site for possible vulnerabilities, and offers a free backup service.
Wordfence Security – another widely implemented security plugin, Wordfence Security primarily focuses on scanning the traffic on your site, enforcing stronger passwords, and blocking known IP addresses associated with spammers and malware bots. There’s also a cool option to view information about the visitors on your site in real time, if you like to micromanage.
5) Backing Up Your Site
Whichever security plugin you go with, you should still back up your site.
Backing up your site is one of those things that sounds like a good idea (because it is) but is easily overlooked until it’s too late.
The 3 most common ways to back up your site are:
Manually – if you have FTP access and know how to use it (or want to learn). This option puts the most control in your hands with regard to frequency and exactly what you want to back up, but it is also the most cumbersome and time-consuming of the 3 options.
Through your host (a reputable host should back up your files on a regular basis) or a paid resiliency service like VaultPress.
Via a PHP-based plugin – there are many backup plugins you can install via the admin panel that will back up your instance of WordPress. Two of the more highly rated (and actively updated) plugins are BackUpWordPress and BackWPup. Both are free of charge.
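An added example, not from the article or from any of the plugins named: a manual backup in the spirit of the first option, written as a Python script rather than FTP clicks, that archives wp-config.php and wp-content with a sha256 manifest and then proves the archive restores cleanly. The sample site it runs against is constructed in a temporary directory, and the function names are this example’s own; a real job would also add a database dump.

```python
import hashlib, io, json, tarfile, tempfile, time
from pathlib import Path

# What you cannot simply re-download: wp-config.php (DB credentials, salts) and
# wp-content (themes, plugins, uploads). A real job adds a mysqldump as well.
INCLUDE = ["wp-config.php", "wp-content"]

def sha256_file(path) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def backup_site(site_root, dest_dir) -> Path:
    """Write dest_dir/wp-backup-<ts>.tar.gz: INCLUDE plus a sha256 manifest."""
    site_root, dest_dir = Path(site_root), Path(dest_dir)
    archive = dest_dir / f"wp-backup-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for item in INCLUDE:
            p = site_root / item
            for f in ([p] if p.is_file() else sorted(p.rglob("*"))):
                if f.is_file():
                    rel = f.relative_to(site_root).as_posix()
                    manifest[rel] = sha256_file(f)
                    tar.add(str(f), arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return archive

def verify_backup(archive):
    """Restore into scratch space and re-hash every file; returns (checked, bad)."""
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(str(archive)) as tar:
        tar.extractall(scratch, **opts)
        manifest = json.loads(Path(scratch, "MANIFEST.json").read_text())
        bad = [rel for rel, digest in manifest.items()
               if sha256_file(Path(scratch, rel)) != digest]
    return len(manifest), bad

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        files = {"wp-config.php": "<?php define('DB_NAME', 'demo');",  # constructed
                 "wp-content/uploads/2014/photo.txt": "stand-in for an upload",
                 "wp-content/themes/demo/style.css": "body { margin: 0; }"}
        for rel, text in files.items():
            Path(tmp, "site", rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, "site", rel).write_text(text)
        archive = backup_site(Path(tmp, "site"), tmp)
        checked, bad = verify_backup(archive)
        return archive.name.startswith("wp-backup-"), checked, bad
```

A backup that has never been restored is only a hope; running the verify step after every archive is what turns it into a backup.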
There are several common misconceptions about why you should care about the security of your site, especially if your site generates little to no revenue. Even if your online platform is just your personal blog for expressing yourself online, you wouldn’t want an enemy (or a bored kid) to hack your site and replace your content with something unflattering.
This is a common type of petty hacking called a hostile takeover, in which someone gains access to your site and proceeds to try to wreck your reputation by posting porn, gore, or politically incorrect material. It sounds petty (and it is), but it’s an unfortunate reality of being online.
If you have an ecommerce site or collect personal data from user registrations, you need to be even more vigilant about watching over the data your customers entrust you with.
Wrapping Things Up
So there you have it, WordPress Security for Dummies: 5 easy steps to protect your site. Free of charge and hassle-free. By following the 5 easy steps I’ve outlined in this article, you can harden your site and keep your hard work safe.
These 5 easy steps are just the basics of securing your WordPress site.
How about you? Have you taken any steps to make your site safer? If not, what’s holding you back? Drop me a comment below and share your thoughts so others can benefit from your knowledge!